Allow internal redirect to URI x, but deny external request for x?

Francis Daly francis at daoine.org
Mon Sep 2 21:02:17 UTC 2019


On Sat, Aug 31, 2019 at 04:55:26PM -0500, J. Lewis Muir wrote:
> On 08/31, Francis Daly wrote:
> > On Sat, Aug 31, 2019 at 09:10:09AM -0500, J. Lewis Muir wrote:

Hi there,

> > Using "realpath" should not affect nginx at all. nginx invites the
> > fastcgi server to use pathname2 instead of pathname1; so the fastcgi
> > server is the only thing that should care.
> 
> Hmm, I might not be understanding this.  The rationale of using
> $realpath_root instead of $document_root was to make it so that a
> new version of the web app could be deployed atomically at any time
> by changing the "current" symlink,
...
>   fastcgi_param DOCUMENT_ROOT $realpath_root;
>   fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
> 
> So, does that make sense, or am I still not understanding this?  I don't
> know what you mean by "nginx invites the fastcgi server to use pathname2
> instead of pathname1."  What are pathname1 and pathname2?

nginx does not "do" php. nginx does not care what your fastcgi server
will do with the key/value pairs that it sends. nginx cares that the
fastcgi server gives a valid response to the request that nginx makes.

Typically, your fastcgi server will use the value associated with
SCRIPT_FILENAME as "the name of the file to execute". If your fastcgi
server fails to find / read / execute that file, it will return its own
error indication.

(So your "if", or the more common "try_files", is just an early-out,
to sometimes avoid involving the fastcgi server. It may happen that the
file is present when nginx looks for it, but is absent when the fastcgi
server looks for it -- so that case does have to be handled anyway.)


In this case, if $document_root is /srv/www/my-app/current/ and
$realpath_root is /srv/www/my-app/releases/1.0.2/, and the script
name is test.php, then with one config, nginx would send the string
"/srv/www/my-app/current/test.php", and with the other config nginx
would send the string "/srv/www/my-app/releases/1.0.2/test.php".

(That is "pathname1" vs "pathname2".)

So if "one request" involves the fastcgi server reading
"/srv/www/my-app/current/test.php", and then reading a bunch of other
files in the same directory -- then I guess that unfortunate timing
could lead to it reading some files from releases/1.0.1 and some from
releases/1.0.2. (Assuming that it opens the directory afresh each time --
which can't be ruled out.)

But if "the app" involves a http request to part1.php and then a http
request to part2.php (or: a second http request to part1.php), I don't
think that the symlink+realpath thing will prevent those two requests
going to different release versions.

All the best,

	f
-- 
Francis Daly        francis at daoine.org
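
Added example, not part of the original message: a Python sketch of the three cases discussed above (pathname1, pathname2, and two separate HTTP requests) using a constructed releases/ and current layout in a temporary directory. The function names and the lib.php file are assumptions made for the illustration, and handle_request only stands in for whatever the fastcgi server does with SCRIPT_FILENAME.

```python
import os
import tempfile

def make_release(base, version):
    """Create releases/<version>/ holding two files that record their version."""
    d = os.path.join(base, "releases", version)
    os.makedirs(d)
    for name in ("test.php", "lib.php"):
        with open(os.path.join(d, name), "w") as f:
            f.write(version)

def switch_current(base, version):
    """Repoint 'current' atomically: build a new symlink, rename it over the old."""
    tmp = os.path.join(base, "current.tmp")
    os.symlink(os.path.join("releases", version), tmp)
    os.replace(tmp, os.path.join(base, "current"))

def handle_request(root, between_reads=None):
    """Stand-in for the FastCGI server: read the script, then a second file
    from the same root. between_reads models a deploy landing mid-request."""
    with open(os.path.join(root, "test.php")) as f:
        first = f.read()
    if between_reads:
        between_reads()
    with open(os.path.join(root, "lib.php")) as f:
        second = f.read()
    return first, second

def demo():
    base = tempfile.mkdtemp()  # constructed layout, stands in for /srv/www/my-app
    for v in ("1.0.1", "1.0.2"):
        make_release(base, v)
    current = os.path.join(base, "current")
    deploy = lambda: switch_current(base, "1.0.2")
    out = {}
    switch_current(base, "1.0.1")
    # pathname1: the symlink path is passed on, so every open() re-resolves it
    out["document_root"] = handle_request(current, deploy)
    switch_current(base, "1.0.1")
    # pathname2: the path is resolved once, before the request is handed over
    out["realpath_root"] = handle_request(os.path.realpath(current), deploy)
    switch_current(base, "1.0.1")
    # two separate HTTP requests with a deploy in between
    first = handle_request(os.path.realpath(current))[0]
    deploy()
    out["two_requests"] = (first, handle_request(os.path.realpath(current))[0])
    return out

if __name__ == "__main__":
    for case, versions in demo().items():
        print(case, versions)
```

Only the realpath_root case reads both files from one release; the two-request case still spans 1.0.1 and 1.0.2.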

